Most bloggers and webmasters who use WordPress understand that they need to keep the core files up to date and also update any plugins they use. Fortunately, WordPress makes the process of doing so very easy and painless, usually just a click away, and most users seem to do it without thinking about it.

Unfortunately, most users don’t feel nearly as strongly about their themes. Among many WordPress users, there’s a mentality to equate “theme” with “design” and it is unfortunate because modern WordPress themes are much more than HTML and CSS. PHP, JavaScript and tighter integration with WordPress means that themes are capable of much more than laying out a page.

In short, the functionality of themes and plugins overlap greatly as even “basic” themes include additional elements that manipulate WordPress by adding new options and settings.

However, while all of this new functionality is a great thing for bloggers, especially those who want to easily design a great site, it’s bad news for security. WordPress themes are a potential security risk, just as with any plugin, and they require maintenance and testing to make sure they are still safe.

Unfortunately, few people give their themes such weighty consideration, possibly leading to major problems down the road.

The Pitfall

The pitfall here is actually fairly straightforward. Since WordPress themes can run code in a way very similar to plugins, they can also create security issues very similar to those of plugins. This includes both issues for the WordPress installation and, potentially, issues for visitors to the site.

However, many bloggers still think of their themes as nothing but a collection of static HTML and CSS, even though themes often add settings, manipulate the database and take other actions that clearly show their power.

To make matters worse, unlike with plugins, most bloggers do at least a modest amount of customization to their themes. This greatly complicates the process of updating them as any update would, without precautions, overwrite the changes and require the editing process to start all over again.

In short, even though themes often contain the exact same security issues as plugins, they are often much more difficult to update and many bloggers aren’t aware that they even should.

Because of this, notifications in WordPress that you should update a theme often go unheeded, even when there are serious security issues. This leaves many bloggers vulnerable to attack and can cause one’s blog to be compromised.

This, in turn, can have very dire consequences, especially if an outside attacker finds a way to exploit the vulnerability and run unauthorized code. This can let them manipulate the site and make alterations to it at will, including using it for phishing attacks, to distribute malware or just generally to cause havoc.

It’s a pitfall no blogger should risk falling into.

How to Avoid It

The first key to avoiding this pitfall is being aware of it. Understanding just how much scripting, and how much potential danger, a theme contains, and treating it with the appropriate amount of weight, is critical to not leaving yourself open.

The second key, obviously, is better coding practices from theme developers. Theme developers should, generally, follow the same coding practices as plugin developers, a point Jaquith was making in his talk, and should use the same APIs for security reasons.

However, neither of these measures prevents themes from having security holes, and neither addresses the ugly mess that updating themes can be. As discussed above, user customizations can make updating a theme a nightmare, forcing one to go back through and re-implement the changes they made.

The solution to this problem is child themes. Child themes are themes that get all of their functionality from their parent theme but keep the user customizations within their own files. This means that all of the code and potential security issues are in the parent theme while the user changes are in the child, making it possible to update the parent theme, fixing any security issues, without losing any of the changes.

The idea is remarkably simple and has been used widely by various WordPress theme frameworks, such as Genesis, to make it easier to change the look and feel of a site while keeping the main framework easy to update. This is why Automattic and the core developers of WordPress recommend this approach.

Unfortunately though, few themes make active use of child themes or encourage their users to do so. However, it is very trivial to create a child theme for your site, and doing so should not add much to your development time if done correctly.
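A minimal child theme, added here as an example and not code from the original post or any particular theme; it assumes a parent theme whose directory slug is `parent-theme` and a child directory named `parent-theme-child`, and the function names are hypothetical.

```php
<?php
/*
 * wp-content/themes/parent-theme-child/functions.php  (assumed paths)
 *
 * Besides this file, the child theme needs only a style.css whose header
 * tells WordPress which parent to load. The "Template:" value is the
 * parent's directory slug ("parent-theme" is an assumed name):
 *
 *     Theme Name: Parent Theme Child
 *     Template:   parent-theme
 *     Version:    1.0.0
 *
 * WordPress runs this file before the parent's functions.php and then loads
 * the parent's templates, so every customization lives here and a parent
 * update never overwrites it. Caveat: any template file (header.php,
 * single.php, ...) copied into the child directory replaces the parent's
 * copy and stops receiving the parent's updates, so prefer hooks and
 * filters over copied templates wherever possible.
 */

// Load the parent stylesheet first, then the child's, so child rules win.
function parent_theme_child_enqueue_styles() {
    $parent_handle = 'parent-theme-style';
    wp_enqueue_style(
        $parent_handle,
        get_template_directory_uri() . '/style.css',   // parent directory
        array(),
        wp_get_theme( get_template() )->get( 'Version' )
    );
    wp_enqueue_style(
        'parent-theme-child-style',
        get_stylesheet_directory_uri() . '/style.css', // child directory
        array( $parent_handle ),
        wp_get_theme()->get( 'Version' )
    );
}
add_action( 'wp_enqueue_scripts', 'parent_theme_child_enqueue_styles' );

// A typical customization kept out of the parent: shorter post excerpts.
// Making this change in the parent's functions.php would be lost on update.
function parent_theme_child_excerpt_length( $length ) {
    return 30;
}
add_filter( 'excerpt_length', 'parent_theme_child_excerpt_length', 999 );
```

Activating the child theme in the WordPress admin, rather than the parent, is what makes the parent updatable without touching these files.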

In short, if you are setting up a new site with a new theme, it is crucial both to be aware of the danger that insecure themes can create and to take the steps to make sure that your theme is easily updated, namely by using a child theme. If you do that, your site will be a great deal more secure and likely have fewer issues with security.

This is why you should only use themes either from the WordPress Theme Gallery or directly from trusted third-party providers, not from intermediary download sites. Not only does this ensure that the code is clean, but it also ensures you can easily update the theme later.

Similarly, you may want to use a plugin like Theme Authenticity Checker (TAC), which scans theme files and looks for malicious code. Though these plugins are far from perfect, they may help you vet new themes you put on your site and let you know if your theme has been altered without your knowledge.

In the end though, it’s past time for WordPress users to get serious about theme security, at least as serious about it as they are about plugin security. The difference between the two is so minimal now that ignoring the security of themes is foolish and very likely to land your site in serious trouble down the road.


Comments

Nice post, however… “Most WordPress bloggers” (that’s how you start the piece off)… that’s like saying “Most Microsoft Word writers” or “Most Excel bookkeepers.” WordPress is nothing more than an open source publishing platform powered by MySQL and PHP that is often used as a Content Management System (CMS). The only ‘WordPress bloggers’ are those who exclusively blog about WordPress. Just saying!

Glad you posted about this. I’m guilty of changing code in my theme, but the theme I’m using doesn’t notify me about updates, since it must be downloaded manually from the site I purchased it from. I don’t even know if the developer of the theme worries about security patching, etc.

I am not a developer. You say it is “trivial” to create a child theme, but that linked article looks big and scary to me, heheh.

I intend to go with Genesis or Thesis or perhaps Catalyst, but can’t afford them at this time.

That is a great point and I’m glad you said it. I’m not a programmer and I even know HTML and CSS just in basic, so all this stuff about plugins, security and so on I would like to be done without my participation. I prefer a child theme to problems in the future that I can’t fix.

My understanding is that they don’t. There are many reasons for this, the biggest being that Google hosts the platform and not your server. As such, themes can’t make any modifications of the actual CMS.

Basically, with Blogger, themes are basically styling functions and not scripts like with WordPress. While they are still amazingly powerful and you can completely customize the look of a site, you can’t add features to your backend as with WP themes.

In that regard, Blogger is similar to Tumblr; themes might be a little less powerful but are a lot more secure.

Thank you for the response. I feel a little more secure, even if I am not in as much creative control as I would be on WordPress.

Hello Miriam,

Thank you for your response too. I remember the day that Google’s Blogger went down for a full day or more recently for whatever reason (I suspect that it was self-inflicted) and it caused a major disruption in my process, but I quickly adapted and just started writing blogs off-line for later publication once Blogger came back on-line. Later in the day someone on one of the forums that was discussing the outage suggested using Posterous as a backup blogging platform.

Steven, it’s always a good idea to have some kind of backup for your blog/site. As for Posterous – it’s only as reliable as its servers are, and even they experienced down time when Amazon’s servers went down.

Creating a child theme is not as trivial as you make it sound. If you create new theme files in your child theme, or even make modifications to an existing theme file, then they won’t be updated when the parent theme is updated. When creating customized WordPress themes, most of the theme files need to be recreated or modified, so you lose all the updates. Rebecca wrote a post about our feelings on this on WPGarage:

Steven, the security issues with self-hosted WordPress sites result from site owners not updating their installation and plugins as they should, and often from issues related to shared hosting security. When your blog is on Blogger, or WordPress.com, they take care of those issues for you. But you might have other issues there, like recently when Blogger and WordPress.com went down for hours due to DDOS attacks and other things that affected their entire server base.

Excellent post! This brings out some very key points about the power of the WP theme system. However, as a lot of the comments are pointing out, what may be basic to one group of users is not true of all.

You correctly point out that “there’s a mentality to equate theme with design.” In my opinion, that’s as it should be. Just because there is the power to do something with a theme, doesn’t mean one should. That doesn’t mean everything should be done with plugins by any means. The power of the functions.php file makes things very efficient. But, as a plugin developer, I have found that the vast majority of incompatibilities with properly designed plugins stem from overtweaked themes.

The more complex something becomes on the back-end, the more likely it is to either break down, become inefficient, or both.

I would say the main problem is that themes do not separate formatting and functions. Many years ago we wrote all program code in just one file and it took years and many brains to find out that formatting and function code should be totally separated from each other. Now obviously theme programmers are going in the wrong direction.